CVE-2018-14468
Description
A buffer over-read in tcpdump's FRF.16 parser (mfr_print) before 4.9.3 allows remote attackers to cause a denial of service or possibly execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer over-read vulnerability exists in the mfr_print() function in print-fr.c of tcpdump, specifically in the FRF.16 (Frame Relay Fragmentation) parser. This flaw affects tcpdump versions prior to 4.9.3. The over-read occurs when processing malformed FRF.16 frames, leading to reading beyond the allocated buffer boundaries [2][3].
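The class of check involved, shown as a stand-alone bounded walk over type-length-value information elements. This is an added example, not tcpdump's code: the function and constant names, the header layout (1-byte type, 1-byte length that counts the 2-byte header) and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 1-byte type, 1-byte length counting the 2-byte header. */
#define IE_HDR_LEN   2u
#define IE_MAGIC_NUM 3u               /* "IE Magic Number (3)" in the test output */
enum ie_status { IE_OK, IE_NOT_FOUND, IE_TRUNCATED, IE_INVALID_LENGTH };

/* Constructed sample buffers, not taken from the project's pcap. */
static const uint8_t ie_good[]  = { 0x01, 0x03, 0xAA, 0x03, 0x06, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t ie_short[] = { 0x03, 0x03, 0x41 };       /* 1-byte value */
static const uint8_t ie_cut[]   = { 0x03, 0x06, 0xDE, 0xAD }; /* capture ends early */

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the IEs in buf[0..caplen) and fetch the Magic Number value. */
enum ie_status find_magic_number(const uint8_t *buf, size_t caplen, uint32_t *magic)
{
    size_t off = 0;
    while (caplen - off >= IE_HDR_LEN) {
        uint8_t type = buf[off];
        size_t len = buf[off + 1];            /* includes the header */
        if (len <= IE_HDR_LEN)                /* malformed; would also loop forever */
            return IE_INVALID_LENGTH;
        if (len > caplen - off)               /* IE claims more than was captured */
            return IE_TRUNCATED;
        if (type == IE_MAGIC_NUM) {
            /* Value must be exactly 4 bytes before a 32-bit read. */
            if (len - IE_HDR_LEN != 4u)
                return IE_INVALID_LENGTH;
            *magic = load_be32(buf + off + IE_HDR_LEN);
            return IE_OK;
        }
        off += len;                           /* skip IEs not decoded here */
    }
    return off == caplen ? IE_NOT_FOUND : IE_TRUNCATED;
}

int main(void)
{
    uint32_t m = 0;
    int rc = (int)find_magic_number(ie_good, sizeof ie_good, &m);
    printf("good: rc=%d magic=0x%08x\n", rc, (unsigned)m);
    printf("short: rc=%d\n", (int)find_magic_number(ie_short, sizeof ie_short, &m));
    printf("cut: rc=%d\n", (int)find_magic_number(ie_cut, sizeof ie_cut, &m));
    return 0;
}
```

Without the exact-length test, the 32-bit load on `ie_short` would read three bytes past the end of the buffer.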
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted network packet to a system running a vulnerable version of tcpdump. When tcpdump captures and parses the malicious FRF.16 frame, the mfr_print() function performs an out-of-bounds read. No special privileges or user interaction is required beyond the victim running tcpdump in capture mode [2][3].
Impact
Successful exploitation could cause tcpdump to crash, resulting in a denial of service. The Ubuntu security advisory notes that this vulnerability could also potentially allow arbitrary code execution, depending on the memory layout and attacker control over the over-read data [2][3].
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3. Users should upgrade to this version or later. Ubuntu has released updated packages in USN-4252-1 and USN-4252-2 for various releases [2][3]. No workarounds are available; updating tcpdump is the recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- tcpdump/tcpdump (description)
- osv-coords, 9 versions:
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
- (no CPE) range: < 4.9.2-lp150.10.1
- (no CPE) range: < 4.9.2-lp151.4.6.1
- (no CPE) range: < 4.99.1-1.2
- (no CPE) range: < 4.9.2-3.9.1
- (no CPE) range: < 4.9.2-3.9.1
- (no CPE) range: < 3.9.8-1.30.13.1
- (no CPE) range: < 3.9.8-1.30.13.1
- (no CPE) range: < 4.9.2-14.17.1
- (no CPE) range: < 4.9.2-14.17.1
Patches
2d9a693b04326VERSION set for release
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -4.9.3rc2 +4.9.3
aa3e54f59438(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.
4 files changed · +8 −0
print-fr.c+5 −0 modified@@ -493,6 +493,11 @@ mfr_print(netdissect_options *ndo, switch (ie_type) { case MFR_CTRL_IE_MAGIC_NUM: + /* FRF.16.1 Section 3.4.3 Magic Number Information Element */ + if (ie_len != 4) { + ND_PRINT((ndo, "(invalid length)")); + break; + } ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr))); break;
tests/frf16_magic_ie-oobr.out+2 −0 added@@ -0,0 +1,2 @@ +FRF.16 Control, Flags [Begin, End, Control], Unknown Message (0x00), length 3714318497 + IE Magic Number (3), length 3: (invalid length)[|mfr]
tests/frf16_magic_ie-oobr.pcap+0 −0 addedtests/TESTLIST+1 −0 modified@@ -572,6 +572,7 @@ olsr-oobr-2 olsr-oobr-2.pcap olsr-oobr-2.out -v ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6_addr_subnet-oobr.out -v isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1 +frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1 # bad packets from Katie Holly mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
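Review bot: in the print-fr.c hunk, the new comment on the MFR_CTRL_IE_MAGIC_NUM case cites the spec section but does not say what ie_len counts at that point. The expected output added alongside prints "length 3" for the rejected IE, so the hunk alone does not show whether the value compared against 4 is that printed length or a payload length with the header already removed. Suggest saying so in the comment, and replacing the literal 4 with a named constant or sizeof(uint32_t), since the next line reads exactly that many bytes with EXTRACT_32BITS(tptr).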
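Review bot: the new TESTLIST entry frf16_magic_ie-oobr and its .out file exercise only an undersized Magic Number IE (length 3), and the entry runs with -c1 so a single packet is decoded. The added condition is "ie_len != 4", which also rejects an oversized value; a second capture carrying a longer Magic Number IE would cover that side of the check as well.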
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (17)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/aa3e54f594385ce7e1e319b0c84999e51192578b (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)
- support.f5.com/csp/article/K04367730 (mitre, x_refsource_CONFIRM)